Re: HTML email, was Re: Phishing and BGP Blackholing

• Previous message: Fergie: "Re: HTML email, was Re: Phishing and BGP Blackholing"
• In reply to: Matthew Black: "Re: HTML email, was Re: Phishing and BGP Blackholing"
• Next in thread: Randy Bush: "Re: HTML email, was Re: Phishing and BGP Blackholing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Thu, Jan 18, 2007 at 07:05:25AM -0800, Matthew Black wrote:
> This presupposes that corporations have a more significant claim
> to domain names than individuals.

Not necessarily; if I am providing login details to a phishing site, I
have probably visited the actual business web site before to create
those credentials in the first place. Were they to use a consistent
naming strategy, for example always using the same suffix, then I have
a simple rule for avoiding [most] phishing sites; validate the suffix.

More generally, authenticating the identity of someone you share a piece
of information (or history) with is a much more tractable problem than
authenticating someone you don't share anything with. That is probably
unsolvable via technical means.

As you point out, there still exists the risk of providing personal
details to the wrong site, but phishing sites so far haven't commonly
focused on gathering details for future identity fraud.

-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>

• application/pgp-signature attachment: stored

• Previous message: Fergie: "Re: HTML email, was Re: Phishing and BGP Blackholing"
• In reply to: Matthew Black: "Re: HTML email, was Re: Phishing and BGP Blackholing"
• Next in thread: Randy Bush: "Re: HTML email, was Re: Phishing and BGP Blackholing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]